The Android Plugin is a new application-level virtualization technology in Android system. Android Plugin allows a host app to create a virtual environment, in which any other APK files can be directly launched as runnable plugins without the installation. Unlike the dynamic code loading, the plugin-enabled host app provides a proxy layer between plugin apps and the Android framework. This virtualization technology has been applied in the development of hot apps, such as the "Parallel Space" app. However, the Android Plugin technology has completely changed the landscape of Android ecosystem security. We will demonstrate our perspectives by proposing some attacks via Android Plugin: a) A zero-permission app can bypass the permission check and the data isolation mechanism by exploiting two vulnerabilities we discovered in Android plugin frameworks. b) A new Android phishing attack allows attackers to phish any target apps at no cost. c) The current app promotion system can also be compromised by attackers through directly launching as many as promoted apps in the plugin environment. d) With our developed tool "Z4Plugin", attackers can easily transform any malicious APK file to a new APK file, which can evade all engines in VirusTotal. At last, we have proposed mitigation solutions for above attacks.